Catching bugs: How Microsoft set up its bounty program

SAN FRANCISCO – When Katie Moussouris first tried to launch a program to pay security researchers for finding bugs in Microsoft Corp.’s programs in 2010, she felt she was facing the impossible.

Microsoft had sworn it wasn’t going to pay for discovering its bugs, and the reason was simple: Back then, more than 90 per cent of the vulnerabilities Microsoft was hearing about came from white market security researchers, who were doing it for free.

In return for notifying Microsoft about what they had found, they might get a one-line mention or credit to their name in bullet-point form for a small discovery, Moussouris, senior security strategist lead at Microsoft, told the RSA conference here last week.

But what was really happening was that some researchers were selling their exploits and vulnerabilities to grey market brokers, who might in turn sell the information to vendors as well as to other customers. Prices are often in the $20,000 range, she added.

And then there’s the black market – like its non-security-related counterparts, this is where security researchers would work with brokers to sell their exploits to governments and organized crime rings. Prices often hit more than US$1 million, and brokers can charge a subscription-based fee for every month that a vendor remains unaware of the bug. That allows hackers to bide their time and launch an attack when they know a vendor is most vulnerable.

“We couldn’t just throw money at it … we never would have been able to outbid the black market,” said Moussouris. “So we’re not trying to outbid them, but we’re trying to offer the right incentives at the right time.”

Last June she convinced the higher-ups at Microsoft that having a bug bounty program was a good thing. Using data on researchers and their bug-reporting habits, she showed researchers were holding off telling Microsoft about what they had found because they didn’t have an incentive to report them earlier.

By introducing Microsoft’s bounty program in October 2013, not only was the company learning more about problems with its code, but it was also connecting with researchers in a more meaningful way, Moussouris said. Before, it could only reach a handful of researchers through contests like Pwn2Own, or rely on white market researchers to report what they’d found for free.

In December Microsoft made its first top tier payout of $100,000 to James Forshaw, a security researcher based in the U.K. And on Feb. 14 Microsoft made out another $100,000 cheque to a researcher for finding a vulnerability. The company paid out more than $253,000 in the first five months of the program.

“Most security researchers today are still human … All humans are motivated by some mix – compensation, recognition, or what I call the pursuit of intellectual happiness,” she said.

“We had some security goals. Obviously, we wanted to learn about any vulnerabilities that our security development lifecycle might have missed, learn about new mitigation bypass techniques, different from individual bugs, as early as possible after [a product] release.”

“What do you think that does to the black market?” she added. “It ruins their investments and [we] can smoke them out.”

Companies that want to start their own bounty programs should first think about what they want to accomplish, Moussouris said, adding that not every company will have a need.

First, recognize that vendors cannot penetrate-test their way to security, she said. Instead, they need to build programs with security in mind from the ground up. What may be more helpful than a bug bounty program may be to invest in a security development team.

Second, organizations need to check their data and see what it’s telling them. What kinds of vulnerabilities are researchers finding? Are these researchers reporting them to brokers or directly to the organizations themselves? While it didn’t necessarily make sense for Microsoft [Nasdaq: MSFT] to offer a bounty program in 2010, that didn’t hold true in 2013, and that was because the data began telling a different story, Moussouris said.

Finally, organizations need to focus on catching bugs early by working with the security community. Thanks to her own background in penetration testing, Moussouris said she feels it’s important to develop relationships with the white and grey markets, as well as researchers, engineers, and other security professionals, rather than seeing them as the bad guys.

Vendors should also prioritize finding vulnerabilities for their newest and most popular products, she added, and they must ensure they know what to do with vulnerabilities when they find them.
